BankBot is designed to steal banking credentials and payment information. It tricks users into handing over their bank details by presenting an overlay window which looks identical to a bank's app login page.
The malware is capable of identifying a variety of financial and retail mobile apps on the infected devices and tailors the phishing attack to display a fake version of the banking app the victim uses, if the target bank is recognized by the malware.
If the user relies on text messages as a form of two-factor authentication, the malware is also capable of monitoring those messages, giving attackers everything they need to access the victim's bank account.
Discovered by researchers at RiskIQ, the latest version of BankBot to infiltrate the Google Play store is disguised as an app called 'Crypto currencies market prices' -- complete with a phony 'Verified by Play Protect' logo in order to make it look as if it is a known and trusted app.
To the user, the app appears to be a tool for comparing cryptocurrency prices against other currencies, and it even contains working cryptocurrency-monitoring functionality -- which is partly how the app manages to bypass Play Store security checks.
By giving the user an app which actually works, the group behind it is increasing the likelihood of achieving its goals, since a user is likely to uninstall an app which crashes or doesn't work.
When initially installed on the device, the app asks for a variety of intrusive permissions, including the ability to read and send messages, access the internet, and write to external storage.
These ultimately provide BankBot with all the permissions it needs to overlay fake login screens, then extract the stolen information and send it back to the attackers -- be it to make purchases for themselves, or to sell on the stolen credentials.
The attackers behind BankBot update it regularly. Since first appearing earlier this year, the malware has gained improved code obfuscation, a more sophisticated payload dropping functionality, and the ability to exploit Android's Accessibility Service in a similar way to other forms of mobile banking malware.
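The permission set described above (read and send SMS, internet, external storage), combined with an overlay or an Accessibility Service, is the footprint a defender can look for when triaging an unknown APK. The script below is an added example, not RiskIQ's tooling or anything from the app itself: it parses a decoded AndroidManifest.xml and flags the banking-trojan pattern. Both sample manifests are constructed for the example; the permission names are the real Android identifiers (SYSTEM_ALERT_WINDOW is the overlay permission, and an accessibility service is a `<service>` guarded by BIND_ACCESSIBILITY_SERVICE).

```python
"""Manifest triage (added example): flag an APK whose permissions match the
BankBot-style combination of SMS access, network, and overlay/accessibility.
The sample manifests are constructed for illustration, not from any real app."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Each capability maps to the permission(s) that enable it.
CAPABILITIES = {
    "sms_interception": {"android.permission.READ_SMS",
                         "android.permission.RECEIVE_SMS"},
    "sms_sending": {"android.permission.SEND_SMS"},
    "network_exfil": {"android.permission.INTERNET"},
    "local_staging": {"android.permission.WRITE_EXTERNAL_STORAGE"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
}


def parse_manifest(xml_text):
    """Return (requested permission names, whether an accessibility service is declared)."""
    root = ET.fromstring(xml_text)
    perms = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    # An accessibility service is a <service> that requires the system-only
    # BIND_ACCESSIBILITY_SERVICE permission to bind to it.
    accessibility = any(
        svc.get(PERM_ATTR) == "android.permission.BIND_ACCESSIBILITY_SERVICE"
        for svc in root.iter("service")
    )
    return perms, accessibility


def assess_manifest(xml_text):
    """Summarise capabilities and flag the overlay + SMS read + network pattern."""
    perms, accessibility = parse_manifest(xml_text)
    hits = {cap for cap, needed in CAPABILITIES.items() if perms & needed}
    if accessibility:
        hits.add("accessibility_service")
    screen_control = "overlay" in hits or "accessibility_service" in hits
    suspicious = screen_control and "sms_interception" in hits and "network_exfil" in hits
    return {"capabilities": sorted(hits), "banking_trojan_pattern": suspicious}


# Constructed sample: a "price tracker" that asks for far more than it needs.
SAMPLE_SUSPICIOUS = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.pricetracker">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Price Tracker">
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

# Constructed sample: a price tracker that only needs network access.
SAMPLE_BENIGN = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.honestprices">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Honest Prices"/>
</manifest>"""


if __name__ == "__main__":
    for label, manifest in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, assess_manifest(manifest))
```

A real APK ships its manifest in Android's binary XML encoding, so decode it first (for example with apktool) before feeding it to `assess_manifest`. The pattern check is a triage signal, not proof: an SMS app legitimately needs READ_SMS, so the flag should route a sample to manual or dynamic analysis rather than stand as a verdict on its own.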
Since being detected, the malware-distributing 'Crypto currencies market prices' app has been removed from the Google Play Store. The malicious app was downloaded a few thousand times.